Tony Morbin explains that board members must be accountable for cyber security and sets out how they should approach this.
You’re on the board, you understand risk and compliance, you accept the accountability of the role. You are responsible for what you do or don’t do and its impact on your organisation.
Why is cyber security different? Why is it your concern when IT isn’t your area of expertise?
Cyber-attacks, or even just mistakes due to poor cyber-practice, can bring down the entire business. Cyber-criminals, hackers or employees who enable breaches can have devastating effects on your organisation, halting operations including sales, stealing your assets, giving all your research and secrets to the opposition, trashing your reputation, and incurring fines of 4% of global turnover.
It’s NOT just an IT issue. As a member of the board, you need a general understanding of cyber-security risk to provide oversight of your specialists, and make appropriate business-risk decisions. Don’t micro-manage the professionals, but be ready to investigate if concerns are raised.
Nothing you can do will provide 100% defence, and insurance only covers some losses. It’s about prioritisation, mitigation and resilience.
Since the 2013 resignation of US retailer Target's CEO, President and Chairman following a massive data breach, cyber breaches have been acknowledged as a personal threat to organisational leaders, with several board members losing their jobs in the aftermath of cyber-attacks. Not because they failed to defend the indefensible, but because they failed to fix known or foreseeable vulnerabilities.
Board responsibilities for cyber security
The UK’s Financial Conduct Authority describes compliance with the EU's GDPR (General Data Protection Regulation) as a board level responsibility, saying that firms must be able to produce evidence to demonstrate the steps that they have taken to comply. The UK's ICO (Information Commissioner’s Office) notes that such actions “may help you mitigate enforcement action.”
Your first duty as a board member is to know what regulations, laws and standards apply to your sector and business. In addition to GDPR rules, similar laws now apply to personal data security in California, with more mooted elsewhere. In addition there are rules applying to particular types of organisation, such as rules on physical critical infrastructure outlined in the Security of Network and Information Systems (NIS) regulations. Your organisation may also have decided to comply with accepted technical standards, guidelines and practices, such as ISO 27001, ISA 62443 and COBIT 5.
Next, ensure you’ve looked at your organisational structure, come up with a best practice strategy and allocated sufficient budget, technical resource, management skills and expertise to implement it. If you don’t have expertise on the board, don’t rely on a consultant. Bring in technical and security skills such as a CTO or a CIO; or you could promote the CISO to the board, or set up a board committee for security and privacy oversight.
You will probably have someone responsible for personal data protection (and if you don't, you should). Integrate your cyber security and privacy operations, and recognise that issues such as cyber threats from insiders are not just IT issues but also business continuity and HR issues.
Risk management frameworks
Throwing money at the problem doesn’t work. Gartner reports that: “…after years of quarterly reporting on cyber-security to their boards, boards are now pushing back and asking for improved data and understanding of what they have achieved after years of such heavy investment."
The right metrics
Having established and communicated an enterprise-wide risk management framework, the board then needs to make senior management accountable for delivering a clear and measurable security strategy with metrics to track performance.
This should include identifying the business’ critical assets: this will enable you to prioritise which risks you must seek to avoid, those you can accept, others you can mitigate, or those you might transfer through insurance. All parts of the company must have input into the strategy including legal, privacy, physical security and crisis management. Conduct a data audit and create a register of all company cyber risks identified, including data, locations, access points, security devices and other related information – prior to prioritisation. External verification can also be aided by deploying ethical hackers to test your systems.
The right safeguards
It's necessary to ensure the company has deployed appropriate safeguards to prevent intrusions, conducts continuous security monitoring and has deployed detection processes to discover breaches. Your organisation also needs to conduct comprehensive incident response planning and implementation exercises, and to develop plans and activities for resuming normal operation.
Personal data needs special safeguards. The ICO recommends adopting and implementing appropriate data protection policies; taking a ‘data protection by design and default’ approach; putting written contracts in place with organisations that process personal data on your behalf; recording and, where necessary, reporting personal data breaches; adhering to relevant codes of conduct and signing up to certification schemes. You also need to review and, where necessary, update the measures you put in place.
Cyber-security is a responsibility for everyone in an organisation and the board leads by example, in both its own secure use of sensitive data, and by creating an organisation-wide security-aware culture of accountability.
As the NCSC makes clear, defining good cyber security is not one size fits all: “it has to be appropriate to your systems, your processes, your staff, your culture and, critically, has to be appropriate for the level of risk you are willing to accept.” And that’s a board responsibility.
Tony Morbin is a freelance security writer.